[580 words, edited, first published 2012/11/20]
What can we make of this successful example of Enterprise Risk Management implementation, which has stood the test of time, and was praised by the Auditor General? Are there implications for others contemplating ERM for their organizations?
I believe the answer is an emphatic yes! This case shows important lessons for any organization, whether they be large or small, and whether they be public sector, “arms-length” or private sector — simply because the implementation was not bespoke for a college, but rather relied on generic precepts of risk management and perennial principles of successful program implementation.
The success accomplished by the Camosun team is indeed all the more remarkable when taking into account the sheer size of the organization and number of departments involved; the complexity of the culture (characterized first by its division into administrative and academic parts); and the fact that the implementation team crushed the industry wisdom by putting in place in merely 18 months what was commonly assumed to take 3-5 years!
This case was ideal in the sense that the initiative followed a logical order, where the appreciation of core concepts and demonstration of value preceded the main work of implementation.
We saw (in previous posts in this series) how the Board was not just intrigued with the concept of Enterprise Risk Management, but was determined to adopt it in such a way as to really enhance accountability.
Appreciation of the methodology was gained by senior executives when they directly participated in a session to apply High Quality Risk Assessment to the institution’s strategic plan. Thus, they were able to observe, assess and adjust the core practice, while simultaneously mitigating risk detected in their strategic initiatives. Their advocacy for use of this risk ID and assessment process for others therefore had that much more credibility.
Principles of program implementation
Rather than fall prey to the administrative missteps that so often cause management initiatives to fail, the implementation team carefully observed certain principles of successful roll-out that hold in any organizational setting. They allowed users to prove to themselves the value and utility of the risk process, avoiding a command-and-control, monolithic, blanket-style implementation that would have alienated faculty and staff. They followed careful, incremental trials that allowed end-users the chance to tweak and adjust procedural details that would better suit the culture. Finally, they persevered to solve minor challenges and work with late adopters until the ERM initiative could definitively be called a success.
Tools and Templates
Links to policy, tools and templates developed by the Camosun team are listed in part 4 of this blog post series.
Note here some important points: Many of the tools listed (still on the website after many years!) are only one or two page documents. It is not through great length and complexity that ERM tools are effective. It is by answering an administrative need in one concise step (example: a context paper to prep a risk ID session).
The templates are not only germane to this case study of effective Enterprise Risk Management implementation; they are freely available for anyone to peruse and emulate. Note finally that a smaller, less complex organization may prefer not only to reduce the size of the core policy document, but also perhaps to simplify some of the templates.
Auditor General’s Testimony
(11 June 2012) Camosun College risk management framework: example of “good governance” (J. Doyle, BC Auditor General) Crown Agency Board Governance (scroll to page 607)